SEBI, vide its Circular dated 6th March, 2023, unveiled a framework for the adoption of cloud services by its regulated entities.
Background:
Cloud computing is becoming increasingly popular for delivering IT services, thanks to its scalability, ease of deployment, and lower maintenance costs. However, it also introduces new cyber security risks and challenges that businesses need to be aware of. To help regulated entities (REs) navigate these risks, SEBI, vide circular no. SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/033 dated March 6, 2023, has introduced a cloud framework that sets baseline standards for security and regulatory compliance. This framework is a crucial addition to SEBI's existing guidelines on cloud computing and is designed to help REs implement secure and compliant cloud adoption practices.
Objective:
The main objective of the framework for adoption of cloud services by SEBI regulated entities (REs) is to identify and address the critical risks associated with cloud computing and to establish mandatory control measures that REs must implement before adopting cloud services. By following the guidelines outlined in the framework, REs can establish a robust risk management approach for cloud adoption: assessing risks, implementing appropriate controls, monitoring the effectiveness of those controls, and ensuring ongoing regulatory compliance.
Transition Period:
The transition period for Regulated Entities is as follows:
- For REs which are not currently utilizing any cloud services, the framework shall apply from the date of issuance.
- For REs currently utilizing cloud services, SEBI has allowed a grace period of up to 12 months to comply with the framework. During this period, such REs shall provide milestone-based updates to demonstrate their progress towards full compliance, as follows:
| Sr No. | Timeline | Milestone |
|---|---|---|
| 1. | Within one (1) month of issuance of the framework | REs shall provide details of the cloud services, if any, currently deployed by them. |
| 2. | Within three (3) months of issuance of the framework | REs shall submit a roadmap (including details of major activities, timelines, etc.) for the implementation of the framework. |
| 3. | From three (3) to twelve (12) months of issuance of the framework | Quarterly progress reports as per the roadmap submitted by the RE. |
| 4. | After twelve (12) months of issuance of the framework | Compliance with respect to the framework to be reported regularly. |
Scope:
The framework applies across the four cloud deployment models defined by NIST, i.e.:
- Public cloud
- Community cloud
- Private cloud
- Hybrid cloud
Approach:
The cloud framework is a principle-based framework which covers Governance, Risk and Compliance (GRC), selection of Cloud Service Providers (CSPs), data ownership and data localization, due diligence by REs, security controls, legal and regulatory obligations, Disaster Recovery (DR) & Business Continuity Planning (BCP), and vendor lock-in risk.
These principles serve as general guidelines to set the standards for REs to comply with while adopting cloud services. The principles are stated as below:
Principle 1: Governance, Risk and Compliance Sub-Framework
Principle 2: Selection of Cloud Service Providers
Principle 3: Data Ownership and Data Localization
Principle 4: Responsibility of the Regulated Entity
Principle 5: Due Diligence by the Regulated Entity
Principle 6: Security Controls
Principle 7: Contractual and Regulatory Obligations
Principle 8: BCP, Disaster Recovery & Cyber Resilience
Principle 9: Vendor Lock-in and Concentration Risk Management
The framework will enable REs to improve their overall IT resilience and reduce cybersecurity risks, while ensuring regulatory compliance. By adhering to the guidelines outlined in the framework, REs can minimize the risks associated with cloud adoption and make informed decisions about implementing cloud services. The detailed framework is enclosed at Annexure-1 of the circular.
This Circular is applicable to the following Regulated Entities: Stock Exchanges, Clearing Corporations, Depositories, Stock Brokers (through Exchanges), Depository Participants (through Depositories), Asset Management Companies (AMCs)/ Mutual Funds (MFs), Qualified Registrars to an Issue and Share Transfer Agents, and KYC Registration Agencies (KRAs), and shall come into force with immediate effect (subject to the transition period set out above for REs already utilizing cloud services).